# {{ ansible_managed }}
# manual customization of this file is not recommended

{% if item.disabled is undefined or (item.disabled is defined and not item.disabled) or (item.disabled is defined and item.disabled == 'false') %}
protocol {{ item.protocol | default('tcp syn') }} dport ({{ item.dport | join(' ') }}) {

  @subchain "dport-limit-{{ item.dport[0] }}" {
    mod recent name {{ item.dport[0] | upper }} {
      set NOP;
      update seconds {{ item.seconds | default('300') }} hitcount {{ item.hits | default('5') }} @subchain "dport-log-{{ item.dport[0] }}" {
        mod recent set name "badguys" {
          mod limit limit 3/hour limit-burst 5 {
            LOG log-prefix "iptables-blocked-{{ item.dport[0] }}: " log-level warning;
          }
          DROP;
        }
      }
    }
  }

  ACCEPT;
}
{% else %}
# dport_limit rule has been disabled by item.disabled variable
{% endif %}